NSUserDefaults can be used without problems. Please check the documentation https://developer.apple.com/documentation/security/keychain_services
Keychain services are designed for "secrets" that the user clearly cares about, that is, passwords, private keys, or even secured notes, i.e. But access tokens are temporary hashes generated after a password is entered by the user, and have a limited time. And even in the event of theft, an attacker will not be able to completely steal an account - the owner can log in to another device and the previous access token will be reset. Thus, formally there is no ban on storing access tokens in UserDefaults.
Data from UserDefaults can only be stolen if the device itself is stolen, but I think the level of content security is much lower than the physical device itself. I think that the user will not worry about the token in this case, but about the device.
Nevertheless, it is recommended to store it in a keychain, but this is just excessive (!) Use of security, which is usually recommended to casual users on the Internet and is not required by Apple. There is no documentation from Apple, it says that tokens should be stored in a keychain (if you can find one, then please comment on one below).
So the answer is you can use both. However, if your application works with content that is expensive compared to a stolen iPhone, it is better to use Keychain, but this is just a recommendation.
Alexander Volkov Jan 16 '19 at 8:40 2019-01-16 08:40
source share